Honeypot as a learning tool

As usual I'll give my Saturday courses during February and March at the University of Metz, my main topic will cover this year the use of Honeynet/pot technologies to discover and analyze old and new security threats. I was often using honeynets information as a basis for giving courses in network security and software engineering. In the early beginning, I was not really convinced by highly-interactive honeynet as it was more sending a bottle in the sea than having a real target. High-interaction honeynets are catching real attackers but quite often the same kind of attackers and cost a lot in time and money to setup, manage, monitor and analyze. The risks are quite high with highly interactive honeynet as they can be easily used to attack or launch large scale probes on the public Internet. Of course, you can use technical measures (mmmm… Maybe better to say : tricks) to limit the risks of being a nice launching pad for other attacks. It's not perfect, error prone and costly on the management side. After some years, I still think that the use of highly interactive honeynet is sometimes useful but only in rare case.

After a lot of experiment in the area, the low-interaction honeynets1 seem to me more useful and have more practical usage. A lot of honeynets framework exists in order to catch malware, spammer or misconfigured routing… with a reduced risks for their use compared to their highly interactive brother. During the session in Metz, I'll give the opportunity to the student to build their own low-interaction honeynet as a practical example. The approach is not only here to catch security issues in the wild but mainly is a practical hands on where the student can understand the inner working of a specific internet2 protocol, to understand abuse of internet services and the risks when developing (crafting) software. I hope that some of their honeypot projects could be used on the Internet and published (I'll insist on the fact to reuse existing honeynet/pot framework like honeyd in their "creation").

Footnotes:

1. I know the differentiation between low-interaction and high-interaction is sometimes unclear and imprecise.

1. (I) /not capitalized/ Abbreviation of "internetwork".
2. (I) /capitalized/ The Internet is the single, interconnected,
worldwide system of commercial, government, educational, and other
computer networks that share (a) the protocol suite specified by
the IAB (RFC 2026) and (b) the name and address spaces managed by
the ICANN. (See: Internet Layer, Internet Protocol Suite.)